Specification-based anomaly detection
Abstract
A method for network intrusion detection on a network comprising a plurality of state machines for passing a plurality of network packets comprises determining frequency distributions for each transition within each state machine, determining the distributions of values of each state machine on each transition, and comparing the distributions to observed statistics in the network, and upon determining that the observed statistics are outside defined limits, detecting an anomaly.
11 Claims

1. A method for network intrusion detection on a network comprising state machines for processing a plurality of network packets, comprising the steps of:

determining a state-machine specification for at least one network protocol of interest;
determining at least one statistical property of interest, wherein each statistical property of interest is associated with a property of the state machine;
determining, in a training mode, statistics corresponding to the at least one statistical property of interest;
initializing a detection mode with the statistics corresponding to the at least one statistical property of interest;
determining observed statistics corresponding to the at least one statistical property of interest in the detection mode according to network packets processed by the state machines; and
comparing the at least one statistical property of interest to the observed statistics corresponding to the at least one statistical property of interest determined in detection mode, and upon determining a significant deviation, generating an alarm.

(Claims 2 through 9 depend on claim 1.)

10. A method for network intrusion detection on a network comprising a plurality of state machines for passing a plurality of network packets, comprising the steps of:

determining frequency distributions for each transition within each state machine;
determining the distributions of values of each state machine on each transition; and
comparing the distributions to observed statistics in the network, and upon determining that the observed statistics are outside defined limits, detecting an anomaly.

11. A program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for network intrusion detection on a network comprising a plurality of state machines for passing a plurality of network packets, the method steps comprising:

determining frequency distributions for each transition within each state machine;
determining the distributions of values of each state machine on each transition; and
comparing the distributions to observed statistics in the network, and upon determining that the observed statistics are outside defined limits, detecting an anomaly.
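The abstract and claims 1 and 10 describe the same pipeline: a state-machine specification for a protocol, a training mode that records how often each transition fires and what values are seen on each transition, and a detection mode that alarms when observed statistics deviate significantly from the trained ones. The following is an added illustration of that pipeline, not code from the patent. The simplified TCP state machine, the training and detection traces, the use of total-variation distance as the deviation measure and the 0.2 threshold are all assumptions made here; a packet that has no transition in the specification is treated as an immediate violation, independent of the statistics.

```python
"""Specification-based anomaly detection over a protocol state machine.

Added example, not code from the patent. The simplified TCP state
machine, the training and detection traces, the total-variation
distance and the 0.2 threshold are all assumptions made here.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Assumed state-machine specification (simplified TCP client view):
# (current state, observed event) -> next state. Events outside this
# table are specification violations, flagged regardless of statistics.
SPEC = {
    ("CLOSED", "SYN"): "SYN_SENT",
    ("SYN_SENT", "SYN-ACK"): "ESTABLISHED",
    ("SYN_SENT", "RST"): "CLOSED",
    ("ESTABLISHED", "DATA"): "ESTABLISHED",
    ("ESTABLISHED", "FIN"): "CLOSED",
    ("ESTABLISHED", "RST"): "CLOSED",
}


@dataclass
class Stats:
    """Statistical properties tied to the state machine: how often each
    transition fires, and the distribution of a value carried on it."""
    transitions: Counter = field(default_factory=Counter)
    values: dict = field(default_factory=lambda: defaultdict(Counter))
    violations: int = 0


def run_state_machine(packets, stats):
    """Drive one state machine per flow; packets are (flow, event, value)
    tuples where value is e.g. the destination port on SYN or the payload
    length on DATA (None where nothing is measured)."""
    state = defaultdict(lambda: "CLOSED")
    for flow, event, value in packets:
        key = (state[flow], event)
        nxt = SPEC.get(key)
        if nxt is None:
            stats.violations += 1          # not allowed by the specification
            continue
        stats.transitions[key] += 1        # frequency of this transition
        stats.values[key][value] += 1      # value distribution on this transition
        state[flow] = nxt
    return stats


def normalize(counter):
    total = sum(counter.values()) or 1
    return {k: v / total for k, v in counter.items()}


def total_variation(p, q):
    """Distance between two distributions: 0 (identical) to 1 (disjoint)."""
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in set(p) | set(q))


def train(packets):
    """Training mode: collect baseline statistics from trusted traffic."""
    return run_state_machine(packets, Stats())


def detect(baseline, packets, threshold=0.2):
    """Detection mode: compare observed statistics with the baseline and
    return a list of alarms (empty when nothing deviates significantly)."""
    observed = run_state_machine(packets, Stats())
    alarms = []
    if observed.violations:
        alarms.append(("violation", observed.violations))
    d = total_variation(normalize(baseline.transitions), normalize(observed.transitions))
    if d > threshold:
        alarms.append(("transitions", round(d, 3)))
    for key, base_vals in baseline.values.items():
        obs_vals = observed.values.get(key)
        if obs_vals:
            dv = total_variation(normalize(base_vals), normalize(obs_vals))
            if dv > threshold:
                alarms.append(("values", key, round(dv, 3)))
    return alarms


def session(flow, port, n_data=2):
    """Constructed well-formed session: handshake, payload, orderly close."""
    pkts = [(flow, "SYN", port), (flow, "SYN-ACK", None)]
    pkts += [(flow, "DATA", 512)] * n_data
    pkts.append((flow, "FIN", None))
    return pkts


# Constructed traffic (assumed, not captured data).
TRAINING = [p for i in range(20) for p in session(f"t{i}", 443 if i % 2 else 80)]
NORMAL_WINDOW = [p for i in range(5) for p in session(f"n{i}", 443 if i % 2 else 80)]
SYN_FLOOD = [(f"a{i}", "SYN", 80) for i in range(50)]   # half-open connections only
INJECTED = [("x", "DATA", 100)] + NORMAL_WINDOW          # segment with no handshake

BASELINE = train(TRAINING)

if __name__ == "__main__":
    for name, window in [("normal", NORMAL_WINDOW), ("syn flood", SYN_FLOOD), ("injected", INJECTED)]:
        print(name, detect(BASELINE, window))
```

The normal window produces no alarm; the SYN flood skews the transition frequencies (only the CLOSED to SYN_SENT transition fires) and the destination-port distribution on that transition, so both statistical checks alarm; the injected DATA segment on a flow that never completed a handshake is caught by the specification alone. In practice the threshold and the per-transition values to track (ports, payload sizes, inter-arrival times) are the tuning points the claims leave open.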
Specification